Ubuntu 22.04 LTS apt-get update 报 Key is stored in legacy trusted.gpg keyring 警告解决方案

背景介绍

在 Ubuntu 22.04 LTS 下更新源 apt-get update 遇到了Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details. 这样的警告。

虽然说警告并不影响执行，但是作为有重度代码强迫症和代码洁癖的患者看着还是很难受，所以还是解决一下吧。

为了讲清楚这个问题我用安装 Docker 和安装 Kubernetes 这两个作为案例。

问题重现

一般情况下，Ubuntu 通过 apt-get 安装软件之前需要将系统的源改成本地源以达到加快下载速度的目的，比如改成：阿里、清华、网易这些源。

修改软件源之后就需要通过 apt-get update 命令更新软件源了，但是在 Ubuntu 22.04 LTS 下就出现问题了。

root@k8s-worker-01:/etc/apt# apt-get update 
Hit:1 https://mirrors.aliyun.com/ubuntu-ports jammy InRelease
Hit:2 https://download.docker.com/linux/ubuntu jammy InRelease
Hit:3 https://mirrors.aliyun.com/ubuntu-ports jammy-updates InRelease
Hit:4 https://mirrors.aliyun.com/ubuntu-ports jammy-backports InRelease
Hit:5 https://mirrors.aliyun.com/ubuntu-ports jammy-security InRelease
Get:6 https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial InRelease [8993 B]
Fetched 8993 B in 3s (2909 B/s)   
Reading package lists... Done
W: https://download.docker.com/linux/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

这个警告大概的意思是我们把软件包的秘钥保存到了 /etc/apt/trusted.gpg 这个老版本系统的文件里。

这里系统提示只是告诉你新版系统不能把秘钥放在 /etc/apt/trusted.gpg 里，但是没告诉我们新版系统的秘钥究竟要放在那里。

解决方案

其实答案很简单，就在 /etc/apt/trusted.gpg.d 目录下。

root@k8s-worker-01:/etc/apt# ls trusted.gpg.d/
ubuntu-keyring-2012-cdimage.gpg  ubuntu-keyring-2018-archive.gpg

可以看到，已经有两个系统秘钥文件了。

现在我就以安装 Docker 和 Kubernetes 的整个过程来解决这个问题。

1. 添加秘钥

添加 Docker key

curl https://download.docker.com/linux/ubuntu/gpg | apt-key add -

添加 Kubernetes key：

curl https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | apt-key add -

添加完秘钥之后你会发现 /etc/apt 目录下多了一个 trusted.gpg 文件：

root@k8s-worker-01:/etc/apt# ls
apt.conf.d   keyrings       sources.list      sources.list.d  trusted.gpg.d
auth.conf.d  preferences.d  sources.list.bak  trusted.gpg

2. 添加软件源

添加 docker 软件源：

cat > /etc/apt/sources.list.d/docker.list << EOF
deb https://download.docker.com/linux/ubuntu jammy stable
EOF

添加 Kubernetes 软件源：

cat > /etc/apt/sources.list.d/kubernetes.list << EOF
deb https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial main
EOF

3. 更新源

因为我们添加了两条秘钥，所以在更新源的时候就会出现两条警告：

root@k8s-worker-01:/etc/apt# apt-get update 
Hit:1 https://mirrors.aliyun.com/ubuntu-ports jammy InRelease
Hit:2 https://download.docker.com/linux/ubuntu jammy InRelease
Hit:3 https://mirrors.aliyun.com/ubuntu-ports jammy-updates InRelease
Hit:4 https://mirrors.aliyun.com/ubuntu-ports jammy-backports InRelease
Hit:5 https://mirrors.aliyun.com/ubuntu-ports jammy-security InRelease
Get:6 https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial InRelease [8993 B]
Fetched 8993 B in 3s (2909 B/s)   
Reading package lists... Done
W: https://download.docker.com/linux/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://mirrors.aliyun.com/kubernetes/apt/dists/kubernetes-xenial/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

4. 查询秘钥

通过 apt-key list 查询服务器上所有的秘钥：

root@k8s-worker-01:/etc/apt# apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub   rsa2048 2022-05-21 [SC]
      A362 B822 F6DE DC65 2817  EA46 B53D C80D 13ED EF05
uid           [ unknown] Rapture Automatic Signing Key (cloud-rapture-signing-key-2022-03-07-08_01_01.pub)
sub   rsa2048 2022-05-21 [E]

pub   rsa4096 2017-02-22 [SCEA]
      9DC8 5822 9FC7 DD38 854A  E2D8 8D81 803C 0EBF CD88
uid           [ unknown] Docker Release (CE deb) <[email protected]>
sub   rsa4096 2017-02-22 [S]

/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub   rsa4096 2012-05-11 [SC]
      8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub   rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <[email protected]>

根据输出的信息可知，服务器上一共有 3 个文件和 4 个秘钥，其中最上面的两个是我们刚刚安装的秘钥，信息存储在 /etc/apt/trusted.gpg 这个文件中，系统自带秘钥不用去管它。

5. 导出秘钥

根据上诉输出的信息可知，每个秘钥的第二行都有一串十六进制的编码，这个编码就是这个秘钥的 id：

A362 B822 F6DE DC65 2817  EA46 B53D C80D 13ED EF05
9DC8 5822 9FC7 DD38 854A  E2D8 8D81 803C 0EBF CD88

找到导致 apt-get update 警告的秘钥然后导出：

apt-key export 13EDEF05 | gpg --dearmour -o /etc/apt/trusted.gpg.d/docker.gpg
apt-key export 0EBFCD88 | gpg --dearmour -o /etc/apt/trusted.gpg.d/kubernetes.gpg

注意：导出时的秘钥只需要后 8 位的 id 即可，而且 id 之间没有空格。

导出后你会发现在 /etc/apt/trusted.gpg.d 目录下多了两个二进制文件，这两个二进制文件就是我们刚刚导出的：

root@k8s-worker-01:/etc/apt/trusted.gpg.d# ls
ubuntu-keyring-2012-cdimage.gpg  ubuntu-keyring-2018-archive.gpg
root@k8s-worker-01:/etc/apt/trusted.gpg.d# apt-key export 13EDEF05 | gpg --dearmour -o /etc/apt/trusted.gpg.d/docker.gpg
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
root@k8s-worker-01:/etc/apt/trusted.gpg.d# apt-key export 0EBFCD88 | gpg --dearmour -o /etc/apt/trusted.gpg.d/kubernetes.gpg
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
root@k8s-worker-01:/etc/apt/trusted.gpg.d# ls
docker.gpg  kubernetes.gpg  ubuntu-keyring-2012-cdimage.gpg  ubuntu-keyring-2018-archive.gpg

6. 删除秘钥

将秘钥导出后就可以把/etc/apt 目录下 trusted.gpg 文件删除了：

root@k8s-worker-01:/etc/apt# ls
apt.conf.d   keyrings       sources.list      sources.list.d  trusted.gpg.d
auth.conf.d  preferences.d  sources.list.bak  trusted.gpg  trusted.gpg~
root@k8s-worker-01:/etc/apt# rm trusted.gpg trusted.gpg~
root@k8s-worker-01:/etc/apt# ls
apt.conf.d  auth.conf.d  keyrings  preferences.d  sources.list  sources.list.bak  sources.list.d  trusted.gpg.d

最后再通过 apt-key list 查询一下服务器上所有的秘钥：

root@k8s-worker-01:/etc/apt# apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg.d/docker.gpg
---------------------------------
pub   rsa2048 2022-05-21 [SC]
      A362 B822 F6DE DC65 2817  EA46 B53D C80D 13ED EF05
uid           [ unknown] Rapture Automatic Signing Key (cloud-rapture-signing-key-2022-03-07-08_01_01.pub)
sub   rsa2048 2022-05-21 [E]

/etc/apt/trusted.gpg.d/kubernetes.gpg
-------------------------------------
pub   rsa4096 2017-02-22 [SCEA]
      9DC8 5822 9FC7 DD38 854A  E2D8 8D81 803C 0EBF CD88
uid           [ unknown] Docker Release (CE deb) <[email protected]>
sub   rsa4096 2017-02-22 [S]

/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub   rsa4096 2012-05-11 [SC]
      8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub   rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <[email protected]>

7. 再次更新源

根据上诉输出的信息可知，服务器上现在一共有 4 个文件和 4 个秘钥，其中最上面的两个是我们刚刚添加到 /etc/apt/trusted.gpg.d 目录下的。

通过 apt-get update 命令尝试再次更新源：

root@k8s-worker-01:/etc/apt# apt-get update
Hit:1 https://mirrors.aliyun.com/ubuntu-ports jammy InRelease
Hit:2 https://download.docker.com/linux/ubuntu jammy InRelease
Hit:3 https://mirrors.aliyun.com/ubuntu-ports jammy-updates InRelease
Hit:4 https://mirrors.aliyun.com/ubuntu-ports jammy-backports InRelease
Hit:5 https://mirrors.aliyun.com/ubuntu-ports jammy-security InRelease
Get:6 https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial InRelease [8993 B]
Fetched 8993 B in 3s (3491 B/s)                        
Reading package lists... Done

结果输出后发现并没有任何警告，完全符合预期，完美解决！